Health Care Policy Report™ offers the inside story on health care regulation
and policy, with behind-the-scenes news and analysis of developments in
Congress, the federal agencies, and the...

A change to how covered entities must evaluate whether they are required to
notify individuals when their personal information has been breached is being
described as one of the most significant new provisions in the long-anticipated
final omnibus Health Insurance Portability and Accountability Act rule.

The rule's broad requirements for business associates and their contractors
also are among the now-final HIPAA regulations, making organizations that do
business with health care companies liable for complying with many of the
Privacy Rule, Security Rule, and data breach notification obligations.

The Department of Health and Human Services Office for Civil Rights published
the rule, which actually embodies four final rules covering a broad range of
HIPAA issues, in the Jan. 25 Federal Register (78 Fed. Reg. 5,565; see related
story). Covered entities and business associates have until Sept. 23 to
comply with most provisions. In the case of existing business associate
agreements, covered entities have until September 2014 to make changes.

Attorneys and others who spoke to BNA Jan. 18 said the breadth of the rule,
alone, was a significant new development, even though covered entities and
business associates already had been required to comply with most of the
provisions that were in interim final rules.

“The big news is that the starting gun is sounded now and business associates
will be scrambling to get into compliance by September this year,” attorney
Reece Hirsch with Morgan, Lewis & Bockius LLP in San Francisco, told BNA.
“That's a big shift in the regulatory landscape. We've seen it coming, but the
clock is ticking.”

Attorney Lisa J. Sotto, with Hunton & Williams LLP in New York, called
the enormity of the regulations a significant administrative burden for covered
entities and business associates to absorb.

Harm Standard Replaced

Hirsch and Sotto agreed that perhaps the single biggest change in the final
omnibus rule was OCR's removal of the so-called risk of significant harm
standard, which, in the interim final breach notification rule, required covered
entities to notify individuals that their protected health information (PHI) had
been breached if they determined through a risk assessment that the individuals
could suffer financial, reputational, or other harm.

Although a majority of public comments to OCR on the data breach rule
supported the standard, concerns were raised that the standard was too
subjective and gave covered entities, in some instances, too much latitude to
avoid notification.

OCR replaced the risk of significant harm standard with a provision that
requires covered entities and business associates to notify individuals of a
breach unless a risk assessment determines a “low probability” that the breached
data were compromised.

OCR also described four factors that risk assessments must consider:

• the nature and extent of the PHI involved, including the likelihood data could
be reidentified;

• the unauthorized person who used the PHI or to whom an improper disclosure was
made;

• whether the PHI was actually acquired or viewed; and

• the extent to which the risk to the PHI was mitigated.

Hirsch said the new standard is more concrete and leaves less wiggle room for
when a notification must be made.

“HHS was concerned there were some who were abusing the latitude [in the
interim rule],” he explained.

Hirsch described the shift as a “big change, but not a radical departure,”
from the interim rule, adding that the ultimate determination for notifications
under the interim and now final rules was always meant to be based on a risk
assessment.

However, Sotto said the shift to the presumption that a breach has occurred
unless there is a demonstration of low probability of compromised PHI poses a
“significant administrative burden” for covered entities and business
associates.

“It's a dramatic shift away from [the focus on] injury to the individual,”
she said.

The significance, she explained, is that HHS is now requiring a formal risk
assessment for breach notifications even if an entity does not believe a breach
rises to a notifiable event.

Notification Timing

Sotto also said the 60-day limit for notifying individuals of a breach was
burdensome, noting that 60 days is the “outer limit” and that HHS may, in some
cases, determine a breach should have been reported to individuals sooner.

“This is strong language,” she said.

The timing for reporting breaches did not change from the interim rule, but
some had hoped HHS would reconsider the 60-day requirement, Sotto said.

Sotto advised that covered entities and business associates that experience a
breach work as quickly as possible to understand whether it is a notifiable
event. That means, she said, risk assessments must be done quickly, and if the
determination is made that there was a notifiable breach, covered entities must
act fast to figure out which individuals must be notified.

She said third-party consultants often are useful in those situations, not
just for conducting forensic investigations, but also for “extracting and
putting in logical format” information about affected individuals and tracking
down their contact information.

Business Associate Obligations

Among the biggest changes in the omnibus rule were provisions that extend
Privacy and Security rule compliance obligations to business associates, those
organizations that do business with covered entities. The rule likewise
finalized the definition of business associates to include subcontractors of
business associates whose work involves PHI.

Hirsch said that while the final rule did not make major changes to the
business associate provisions, it presents a significant compliance obligation
for a host of organizations not covered by HIPAA rules before the Health
Information Technology for Economic and Clinical Health (HITECH) Act was signed
into law in 2009.

Hirsch said he had hoped OCR would include new, additional guidance language
for business associate agreements in the final rule, but there was little more
in the way of such guidance than was in the proposed rule.

Chief among the obligations for business associates and subcontractors will
be complying with much of the HIPAA Security Rule, including requirements that
organizations have security policies and procedures in place.

The final rule also will mean covered entities must rewrite all their
business associate agreements to reflect the obligations of those organizations,
Sotto said.

In some cases, large health systems or organizations that are HIPAA-covered
entities have as many as 20,000 business associates, Sotto said. Covered entities
will have until September 2014 (a full year after the compliance date for most
of the other provisions) to bring existing business associate arrangements into
compliance with the final rule, but Sotto said redrafting the deals will be a
“massive” undertaking.

One of the biggest concerns will be for companies that subcontract with
business associates and deal with PHI but have no idea they now are obligated to
comply with strict HIPAA rules, she said.

Hirsch said covered entities are not legally obligated to look down the chain
of contractors to affirmatively determine which ones are required to comply with
HIPAA rules, but that business associate agreements must define the duties of
business associate organizations in ensuring their relevant contractors are in
compliance. Nevertheless, the new requirements will raise the bar for contractor
scrutiny from covered entities down the line.

Implementation Concerns

Angela Dinh Rose, director of HIM solutions at the American Health
Information Management Association in Chicago, told BNA that one of the
challenges facing covered entities will be implementing new Privacy Rule
requirements, mandated in the HITECH Act, that give patients the right to
request electronic copies of their health records and to prohibit covered
entities from sharing treatment information with health plans when the patients
pay out of pocket.

Rose said many health care organizations are moving toward electronic health
records, which often include a patient portal component, so complying with the
access requirement will be less cumbersome than the requirement to let patients
restrict how their data are shared.

Operationally, she explained, covered entities will have to determine whether
their systems are capable of flagging services for nonreporting, and maintaining
those flags beyond a single incident.

Likewise, Rose advised, covered entities will need to train staff on
recognizing flagged data and what to do with it.

Covered entities also will be required to issue new privacy rights
statements, which provider groups are calling a major implementation
challenge.

In a statement, Medical Group Management Association President and Chief
Executive Officer Susan L. Turney said physician practices are worried about
rewriting and reissuing notices of privacy practices by September.
